Ironically, in an era where hackers seem to be everywhere, the fastest-growing security threat to business data may now be self-inflicted: cloud service misconfiguration.
In the cloud, misconfiguration means any error in the way a service is set up that may expose the environment to attack. Errors of this kind have always been part of corporate IT, but in the corporate data center they rarely caused much trouble. In the cloud, life is very different. Here the impact of any error is magnified, partly because the mistake is often visible from the public internet, and partly because of the way security controls work in the cloud.
Focusing on accidental configuration errors runs counter to the traditional assumption that the greatest threat always comes from outside attackers or malicious insiders. There is no doubt that when such a weakness is exploited, it is because professional criminals or possibly malicious insiders noticed the error. But the deeper question is not only who took advantage of the error, but who caused it. In most cases, misconfigurations arise from unintentional mistakes rather than malice.
So the questions are why misconfigurations occur and how to prevent them. Every organization that migrates to cloud services needs to assume that misconfiguration is possible and commit to implementing the right processes to reduce that possibility.
This topic stems from Trend Micro’s recent analysis of high-profile cloud breaches, which led to the surprising conclusion that in most cases the exposure followed a misconfiguration. Only one incident, the widely analyzed Capital One breach of 2019, involved two weaknesses: a misconfigured Web Application Firewall (WAF) and a server-side request forgery (SSRF) vulnerability.
As Trend Micro pointed out, Capital One is considered a mature cloud user. “This is a team that knows what they are doing. However, they still make mistakes.” The platform itself, AWS, was a blameless host.
When things go wrong
It is not difficult to find other examples that were probably caused by configuration errors. In 2017, UpGuard researchers discovered large caches of US Central Command (Centcom) data that anyone with a free AWS account could view. Amazon S3 buckets are private by default, which means someone had changed the setting by mistake, exposing three archives.
In 2019, Israeli researchers stumbled upon a 179GB AWS-hosted Elasticsearch database of travel and hotel reservation data, which included some records relating to U.S. military personnel. The list could go on for paragraphs, but this example is worth including simply to emphasize how carelessly deployed popular tools such as Elasticsearch have led to disastrous consequences.
Most misconfigurations are never reported, and an unknown but probably substantial number are never detected at all. In the 2021 Verizon Data Breach Report (DBIR), misconfiguration ranked second only to hacking as the root cause of data breaches.
Getting bigger
As cloud platforms have grown substantially, awareness of cloud misconfiguration has grown with them. The drivers seem unstoppable: remote work, the boom in artificial intelligence automation, the continued digitization of e-commerce, and the use of cloud resources for resiliency, backup, and application development. At a lower level, the emergence of hybrid cloud technology makes it possible to mix and match different public and private clouds under one code base and a single set of development and management tools.
This huge expansion of cloud usage increases the risk and likelihood of breaches in ways that not every organization is willing to admit. When Trend Micro surveyed 2,500 global decision makers at the end of 2020, it found mixed evidence. On the one hand, 87% said they fully or mostly control their remote working environment, and 51% believe that accelerated cloud migration has had the effect of improving their security best practices.
But in other respects, the cloud is associated with a range of security anxieties, and 45% of respondents see security as a major obstacle to cloud adoption. The biggest operational concerns are the ability to set consistent security policies (35%), securing traffic into and out of the cloud (33%), and patching (33%). Migrating to a new set of security tools is another concern, with data privacy (43%), employee training (37%), and compliance (36%) listed as further obstacles.
Why does a configuration error occur?
Misconfigurations can occur at different levels, including the cloud service, application configuration, the virtualization layer or operating system, and underlying hardware management. Sometimes these errors are simple oversights; in other cases the security process surrounding the controls is at fault. A complicating factor is the need to implement the same control across different and sometimes dissimilar services (such as AWS and Azure), which is becoming a more pressing issue as hybrid clouds grow in popularity.
Trend Micro lists the top five errors that explain many misconfigurations.
Storage access
In AWS, granting “full control” to the “authenticated users” group means granting it to anyone who has an AWS account, not just authorized users within the organization, as is usually assumed. As the incidents above show, this is one of the most common mistakes. Others include not turning on logging and failing to configure encryption properly. Anyone who works with AWS should understand how to use the platform’s identity and access management (IAM) settings, define bucket policy rules, and implement access control.
Bad management of credentials
Secrets such as passwords, tokens, and API keys can be accidentally exposed in a variety of ways, including by being committed to public GitHub repositories, stolen, over-shared, or granted access to far more resources than they need.
Disable logging
Logging keeps track of all changes and is also where platform service announcements appear. Disabling logging, or failing to turn it on, prevents you from seeing evidence of unauthorized access and from tracking emergency security and update announcements.
Legacy administrator behavior
Another common mistake is to allow access to containers and virtual machines over legacy protocols (such as FTP or telnet), or to expose a Kubernetes cluster, including its etcd store, in a way that lets it be indexed by the Shodan search engine.
Lack of verification
To make matters worse, many organizations lack proper systems for detecting when a misconfiguration occurs. Ideally, this should be part of someone’s job description and run as a routine check every time a change is made. The inspection process should also be integrated into the audit plan.
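As an added example (not code from the original article or from Trend Micro), here is the kind of routine check the sections on storage access, logging and verification call for: it inspects an S3 bucket’s ACL, bucket policy and logging configuration for the “authenticated users” and wildcard-principal mistakes described above and for logging that was never enabled. The sample responses are constructed in the shape that boto3’s get_bucket_acl, get_bucket_policy and get_bucket_logging calls return; the bucket name and owner ID are placeholders.

```python
# URIs AWS uses for its two predefined global groups in S3 ACL grants. "AuthenticatedUsers"
# means any AWS account holder anywhere, not just accounts in your organization.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def check_acl(acl):
    """Flag ACL grants that hand a permission to either global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (AUTHENTICATED_USERS, ALL_USERS):
            who = "any AWS account" if grantee["URI"] == AUTHENTICATED_USERS else "anyone"
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings

def check_policy(policy):
    """Flag Allow statements for a wildcard principal that carry no Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            findings.append(f"policy allows {stmt.get('Action')} to Principal * with no Condition")
    return findings

def check_logging(logging_cfg):
    """get_bucket_logging returns no 'LoggingEnabled' key when access logging is off."""
    return [] if logging_cfg.get("LoggingEnabled") else ["server access logging is disabled"]

def audit_bucket(acl, policy, logging_cfg):
    """Run all three checks and return the combined list of findings."""
    return check_acl(acl) + check_policy(policy) + check_logging(logging_cfg)

# Constructed sample responses in the shape boto3's get_bucket_acl, get_bucket_policy (after
# parsing its "Policy" JSON string) and get_bucket_logging return. The bucket name and owner
# ID are placeholders, not real identifiers.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "FULL_CONTROL"},
    ],
}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]}
SAMPLE_LOGGING = {}  # logging never enabled on this bucket

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_LOGGING):
        print("FINDING:", finding)
```

Wiring the three functions to live boto3 responses and running them on every change turns the “lack of verification” problem into a routine, auditable check.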
The “it’s only a test” fallacy
A common theme is how often developers publish test data to cloud databases and forget to protect it, on the assumption that the data is not very sensitive or that the test is only short-term. It is as if the normal rules do not apply to test systems, take too long to implement, or are simply unfamiliar to the developers involved.
Shared responsibility model
A secure cloud is always a combination of the cloud service provider’s platform and the customer’s management of the service. The evidence from frequent breaches shows that customers tend to make assumptions about the provider’s responsibilities, or to locate the risk in the platform rather than in the way it is used.
In response, Amazon, Microsoft, and Google have each published their own version of the Shared Responsibility Model (SRM), which broadly stipulates that the provider is responsible for the platform and the customer is responsible for the data, with the dividing line depending on whether the cloud service is IaaS, PaaS or SaaS.
Fixing the holes
Cloud security can be improved in many ways, including implementing least-privilege access, enabling audit logs, firewalling unauthorized traffic, strengthening identity and access management, rotating keys more frequently, and enabling multi-factor authentication for all administrator access. Likewise, responsibilities under the SRM need to be analyzed carefully rather than assumed to be understood.
But the most important remedy is to build a system that can detect and quickly correct misconfigurations. Trend Micro’s approach to this problem is Trend Micro Cloud One-Conformity, which provides central visibility and real-time monitoring of cloud infrastructure. Conformity can perform nearly 1,000 different configuration best practice checks and automatic repairs for AWS, Azure, and Google Cloud in hybrid cloud settings.
The benefit of a misconfiguration checking system is that it lightens what would otherwise be a complex burden, reduces exposure in a measurable way, and integrates the checks into the audit process. Increasingly, it is a necessity. Cloud misconfiguration is another cautionary lesson in how not to adopt new technologies. The cloud has revolutionized enterprise computing, but it should not take a growing list of embarrassed breach victims to make it secure.
Sponsored by Trend Micro.